Make money make sense
M Make every penny count. Get the best deals, avoid scams and grow your savings with expert guidance for only £49 a year.
Join Which? MoneyCard fraud in 2026: the threats you need to know about
Card fraud is rising despite tougher security checks – here's how to stay safe
For a while, it appeared the tide had turned on card fraud. But criminals are gaining ground again, despite security checks designed to stop them in their tracks.
Banks say cardholders are being tricked into giving away the keys to their own financial front doors, yet we’ve previously exposed security flaws that help scammers hijack digital wallets, spend money on cancelled cards and set sneaky subscription traps. So, what needs to be done?
Here, we look past the headline figures to examine emerging tactics and how banks are shoring up their defences.
How fraudsters get hold of your card details
Card fraud has affected 14% of UK adults in the past two years, climbing to 20% for 25-to-34-year-olds, according to our recent survey.
Many cited tactics such as fake adverts on social media (25%), search engines (21%) and phishing emails (18%). However, 25% said they didn't know how the fraud occurred.
Card-not-present fraud – that is, unauthorised remote purchases made over the internet, phone or mail order – has long been the main culprit.
Online security checks, such as one-time passcodes (OTPs) or banking app verification for risky transactions, briefly deterred card fraudsters. But the case volume reached record highs in 2025, up 13% year-on-year to 3.2m. Losses are also up 3% to £423.5m.
While banks say many customers are tricked into sharing OTPs with scammers, card details can also be compromised through no fault of our own.
They might be leaked through data breaches, stolen by pickpockets and skimming devices placed at ATMs, or captured by malware-infected browsers, websites and point-of-sale systems.
Reports estimate that 142m stolen card records were posted for sale on the dark web in 2025.
The biggest prize is a ‘Fullz’ package – slang meaning a complete dossier of an individual’s sensitive data, including their bank login details, card numbers, email address and any other information an attacker could use to their advantage.
- Find out more: My card has been lost or stolen and used to purchase goods
How overseas scammers target UK cardholders
The astronomical rise of internet sales means the door is now wide open to international scammers.
Subscription scams have proved to be particularly persistent. Many victims report finding recurring card payments to foreign firms they’ve never heard of, with no memory of how their details were compromised.
We’ve unmasked many tactics, such as fake QR code stickers linked to phishing websites at car parks, copycat apps advertised on search engines and bogus shopping deals spread via social media.
Refunds are by no means guaranteed either, because banks and other payment firms treat these as authorised transactions, failing to acknowledge that the ‘authority’ was only gained through misleading ads and other underhand tactics.
It’s clearly a struggle to keep a lid on rogue foreign businesses – in 2024, a staggering 75% of card-not-present fraud linked to online sales was processed by overseas merchant acquirers (the financial firms that enable businesses to accept credit and debit cards).
Scammers are sly, too, obtaining a whole series of merchant accounts across different markets, switching between them to avoid hitting the thresholds that might have them (or their acquirer) banned.
5 card fraud tactics to be aware of
- Sim swap A fraudster tricks your mobile network into transferring your number to a Sim card in their control. They can then intercept one-time passcodes from your bank and gain access to online banking, stealing your card details and setting up mobile wallets. We want networks to do more to protect customers.
- Cloning Data from your card is stolen from the magnetic strip without your knowledge and placed onto a blank card. This can happen at ATMs where an illegal device has been fitted by criminals; an accompanying hidden camera records your Pin as you input it.
- Subscription scams You think you’re making a one-off payment or signing up to a free trial with a legitimate merchant, but in reality it’s a rogue site that has signed you up to a recurring payment for a non-existent, useless or hugely overpriced service.
- Digital wallet scams A fraudster adds your stolen card details to a digital wallet (such as Apple Pay, Google Wallet or Samsung Pay) on a device they control. They can then spend in person or at the thousands of online shops integrated with Apple Pay and Google Wallet.
- SMS scams A text impersonates a well-known organisation (such as Royal Mail or HMRC) and falsely claims you need to pay a charge or fine. You’re encouraged to click through to a scam website and input your payment and personal details. Learn how to spot a text message scam.
Can the industry keep up with fraudsters?
The banking industry has a long history of playing cat and mouse with fraudsters. After the launch of Chip and Pin in 2006 to combat card theft and cloning, criminals quickly turned to using stolen card details remotely, buoyed by the surge in online shopping.
Strong customer authentication ironed out many flaws and standardised security, although the Home Office recently announced plans to repeal these technical standards to ‘support the adoption of new technologies’ and enable firms to apply ‘proportionate, risk-based measures for low-risk transactions’.
Balancing security and modern demands for speed and convenience requires a deft hand, and fraud teams are under relentless pressure to match their defences to criminals’ ever-evolving tactics.
Data analysis is the key to fighting fraud in the digital age. Banks can measure the likelihood of transactions being safe, by using machine learning models to spot suspicious activity the moment it happens.
‘One of our successes has been monitoring test transactions,’ says Jim Winters, Nationwide’s director of economic crime. ‘Scammers tend to test a bunch of card details all at the same time. So we might see a raft of them coming in, which gives the game away.’
Anomalous behaviour is another way the industry can detect fraud, using in-house tools and intelligence, or working with companies such as BioCatch, Cleafy, LexisNexis and ThreatFabric.
Banks should be able to build a highly detailed digital profile of your typical behaviours, recording how you type, how you touch your screen and which wi-fi network or browser you prefer to use. Your bank should be looking for signs that you’ve been hacked, as well as evidence that you might be being coached by scammers - for example, by detecting that you are on a call at the time of a transaction.
Winning this arms race will also require collaboration across the banking industry and other sectors. 'Cybercriminals don’t just stay in one lane', says Mike Nathan of LexisNexis Risk Solutions. ‘They are channel agnostic – it’s the whole ecosystem that they’re attacking.’
If we’re really going to tackle card fraud and other threats at scale, simply warning customers not to share passcodes isn’t going to cut it.
How to protect yourself from card fraud
There's a lot you can do to protect yourself from card fraud, starting with turning on two-factor authentication (2FA) for all of your online accounts, ideally using passkeys or authenticator apps (supported by Apple, Google, Microsoft and Samsung).
You should make the most of any fraud prevention tools offered by your bank, such as instant card freezing and other controls – some bank apps let you turn off remote purchases and contactless payments if you’re worried your card details have been stolen or added to a digital wallet.
When you're shopping or adding sensitive data online, scrutinise website URLs carefully and avoid clicking on links sent in unsolicited messages, shared on social media, or advertised on search engines. You can check the domain age before you enter your card details online, using lookup tools such as Who.is – be even more suspicious of newly created websites.
Virtual debit cards are offered by Chase, Monzo, NatWest Group, Revolut and Starling, so that you don’t share real card details with unfamiliar (and therefore risky) websites.
Keep your devices safe, making sure you've installed the latest software updates to help protect them from viruses and malware. Don't use an unsupported device for banking, because it no longer gets important security updates.
You can secure your mobile account by asking your network to add a secondary Pin or password that must be provided before it issues a Sim swap or PAC. And to protect your phone, add a unique Pin to your Sim, disable preview notifications, which could be viewed by a thief, and use Google’s Find My Device or Apple’s Find My iPhone.
- Find out more: 5 things I would never do as a banking and scams expert
The figures in this article are based on a survey of 2,079 members of the public and are representative of the UK population aged 18+. Data collection was conducted online in March 2026.
